Coming in 2014: Death by Internet
Everybody knows what the top online threats will be in 2013; they will be a continuation of the threats we already are facing, say the researchers at the security company Internet Identity.
“Anybody can do 2013 predictions,” said Paul Ferguson, IID vice president of threat intelligence. “So we decided to be bold and do predictions for 2014.”
The predictions are not comforting. They include death by Internet-connected devices and the use of emerging near field communications (NFC) in smart phones for large-scale fraud and theft.
Making predictions a year or more out is not that difficult when it involves emerging technologies, Ferguson said. The timeline for adoption of new mobile functionality such as NFC on smart phones falls into the 12-to-18-month range. Though many of the applications or similar apps — the technology also is expected to be used in physical authentication, such as access systems to government or other public-sector buildings. As NFC catches on, it could also be used in some government transactions.
The first phones using NFC already have appeared, such as the Samsung Galaxy S III, which can be used as a hardware security token much like a contactless card and can share data with other similarly equipped phones. The technology is expected to take off in 2014, with Juniper Research predicting that nearly one in five smart phones will have it worldwide, and this will spur development of e-commerce applications.
It is not the NFC protocols themselves that pose the risk, Ferguson said. “It’s all of the apps that interface with that technology.” Almost all e-commerce and banking applications have vulnerabilities in their first year, he said. He warned that as the use of NFC for transactions reaches critical mass in 2014, cybercriminals will turn their attention to these applications to gain access to accounts, and the first generation of apps is likely to provide low-hanging fruit for them.
The second major threat on the horizon stems from the growing use of the Internet to monitor and control medical devices, which opens the door for the intentional or unintentional use of malware to kill.
Proof-of-concept attacks to control or disrupt Internet-enabled medical devices have been publicly demonstrated, and the unintended consequences of malicious code released in the wild could include the death of patients. “That is probably the most likely scenario,” Ferguson said. But he does not rule out the possibility that devices could be intentionally targeted to kill someone.
This is a subset of the broader issue presented by industrial control and SCADA systems that are used to monitor and control critical operations in government and private-sector enterprises. They represent the nexus of IT and physical systems and open the door to the use of cyber weapons against physical targets. The first instances of such incidents in the health care field already have been seen in the U.K., where disruption of an emergency room admissions system forced patients to be turned away and sent to other facilities, Ferguson said.
“We’re moving toward the point where people will target life-support systems,” he said.